An automatic analysis and detection tool for Java exploits

Xinran Wang (Palo Alto Networks)


Java vulnerabilities are becoming the most popular exploit vector in the wild. Three zero-day Java vulnerabilities were found in the wild in just the first two months of 2013. Because Java is widely deployed in browsers and Java exploits are highly reliable, they are heavily used in numerous infamous exploit kits such as Blackhole and Redkit. According to VirusTotal, the number of Java exploit samples submitted grew from 8,000 at the beginning of 2013 to 300,000 at the beginning of March. Accurately identifying which vulnerabilities, if any, a Java exploit sample uses is very challenging, not only because of the huge volume of samples but also because of the advanced obfuscation techniques they use.

In this paper, we first explain the Java security model, demonstrate several recent zero-day exploits, and show why exploiting a Java vulnerability is much more reliable than exploiting a buffer overflow. Several Java exploit samples from popular exploit kits are dissected. We analyse the common obfuscation techniques they use and show why static analysis is ineffective for analysing Java exploits. Then we present a dynamic analysis tool. The tool records calls to the Java Core API during the execution of a Java exploit, and the recorded API traces are used to identify known vulnerabilities. Furthermore, we propose several heuristics, built into the tool, for identifying zero-day exploits. Finally, we report the results of an experiment on over 5,000 Java exploit samples and 5,000 benign Java applets collected in the wild. The results show that the tool identified the known vulnerabilities used by the exploit code with very few false positives and false negatives.
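As an added illustration, not code from the paper or from the Palo Alto Networks tool, the following Python sketches the trace-matching stage the abstract describes: recorded Core API calls are matched against ordered call-sequence signatures for known vulnerabilities, and a few behavioural heuristics flag sandbox escapes that no signature covers. The tab-separated trace format, the helper names, the two signature entries (which name no real CVE) and the three heuristics are assumptions made for this example; the sample traces are constructed, not captured from real samples.

```python
import re
from dataclasses import dataclass

# Assumed trace line format (an assumption made for this example, not the
# paper's format): "<originating class>\t<fully-qualified Core API method>\t<args>".
# "originating class" is the nearest non-platform frame on the stack at call time.

@dataclass(frozen=True)
class Call:
    origin: str   # applet or platform class that caused the Core API call
    method: str   # e.g. "java.lang.System.setSecurityManager"
    args: str     # argument summary as recorded by the tracer ("null" for null)

PLATFORM_PREFIXES = ("java.", "javax.", "sun.", "com.sun.")

def parse_trace(text):
    """Parse one trace; blank lines and '#' comment lines are ignored."""
    calls = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        fields = raw.rstrip("\r\n").split("\t")
        if len(fields) != 3:
            raise ValueError("malformed trace line: %r" % raw)
        calls.append(Call(*fields))
    return calls

def is_untrusted(origin):
    """Applet-supplied code is anything outside the platform packages."""
    return not origin.startswith(PLATFORM_PREFIXES)

# Known-vulnerability signatures: an ordered list of method regexes that must
# occur as a subsequence of the trace. Both entries are illustrative placeholders
# for this example; they are not taken from the paper and name no CVE.
SIGNATURES = {
    "ILLUSTRATIVE-reflective-sm-bypass": [
        r"^java\.lang\.Class\.forName$",
        r"^java\.lang\.reflect\.Method\.invoke$",
        r"^java\.lang\.System\.setSecurityManager$",
    ],
    "ILLUSTRATIVE-unsafe-memory-corruption": [
        r"^sun\.misc\.Unsafe\.",
        r"^java\.lang\.System\.setSecurityManager$",
    ],
}

def matches_signature(calls, patterns):
    """True if every pattern matches a call, in order, with gaps allowed."""
    i = 0
    for c in calls:
        if re.search(patterns[i], c.method):
            i += 1
            if i == len(patterns):
                return True
    return False

def identify_known(calls):
    return sorted(n for n, p in SIGNATURES.items() if matches_signature(calls, p))

def zero_day_heuristics(calls):
    """Behaviours shared by sandbox escapes regardless of which bug enabled them."""
    findings = set()
    escaped = False
    for c in calls:
        untrusted = is_untrusted(c.origin)
        # H1: untrusted code clearing the SecurityManager is the goal of almost
        # every applet exploit, whatever vulnerability got it there.
        if c.method == "java.lang.System.setSecurityManager" and c.args == "null" and untrusted:
            findings.add("H1 security manager cleared by untrusted code")
            escaped = True
        # H2: resolving a restricted package (denied to applets by package.access).
        if c.method == "java.lang.Class.forName" and untrusted and c.args.startswith(("sun.", "com.sun.")):
            findings.add("H2 restricted package resolved by untrusted code")
        # H3: OS-level action after the escape, i.e. the payload stage.
        if escaped and c.method in ("java.lang.Runtime.exec", "java.lang.System.load",
                                    "java.lang.System.loadLibrary"):
            findings.add("H3 native/OS action after sandbox escape")
    return sorted(findings)

def analyse(trace_text):
    calls = parse_trace(trace_text)
    known = identify_known(calls)
    heur = zero_day_heuristics(calls)
    verdict = "known-exploit" if known else ("suspected-zero-day" if heur else "benign")
    return {"verdict": verdict, "known": known, "heuristics": heur}

# Constructed sample traces (not real samples). Columns: origin, method, args.
TRACE_KNOWN = """\
# a reflection-based escape that fits the first placeholder signature
evil.Applet\tjava.lang.Class.forName\tsun.misc.Unsafe
evil.Applet\tjava.lang.reflect.Method.invoke\tsetSecurityManager
evil.Applet\tjava.lang.System.setSecurityManager\tnull
evil.Applet\tjava.lang.Runtime.exec\tcalc.exe
"""
TRACE_ZERO_DAY = """\
# same end state reached by a path no signature describes
evil.Applet\tjava.lang.invoke.MethodHandle.invokeWithArguments\tsetSecurityManager
evil.Applet\tjava.lang.System.setSecurityManager\tnull
evil.Applet\tjava.lang.Runtime.exec\tcalc.exe
"""
TRACE_BENIGN = """\
# benign applet: reflection alone is not an indicator
com.example.Chart\tjava.lang.Class.forName\tcom.example.Renderer
com.example.Chart\tjava.lang.reflect.Method.invoke\trender
com.example.Chart\tjava.awt.Graphics.drawString\tHello
"""

if __name__ == "__main__":
    for name, t in (("known", TRACE_KNOWN), ("zero-day", TRACE_ZERO_DAY), ("benign", TRACE_BENIGN)):
        print(name, analyse(t))
```

The benign trace is the important check: applets use Class.forName and Method.invoke legitimately, so a signature must require the whole ordered sequence ending in the sandbox-disabling call, and the heuristics key on who made the call and what it was passed, not on reflection alone. Obfuscation that renames classes or hides strings does not change the Core API calls that actually execute, which is why a trace recorded at run time survives it where static matching does not.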

VB2013 takes place 2-4 October 2013 in Berlin, Germany.
